Showing results for tags 'https'.
-
Hey, I had it set up for a while with a Let's Encrypt certificate converted into p12. It worked flawlessly. Then my cert ran out and I had to renew it. So I did "certbot --renew", which worked, and converted it into a p12 with
    openssl pkcs12 -export -out certificate.p12 -inkey privkey.pem -in cert.pem -certfile fullchain.pem
But since then HTTPS is not working: (Sorry for German) I already tried to change the path, the certfile has all rights and I have no idea why it's not working. Also in the Dashboard it's not shown with HTTPS: The logs are attached. Maybe someone here has an idea. Thanks in advance! embyserver.txt ffmpeg-remux-fee6f20e-34b8-41bf-8c2b-f9d6f324abf5_1.txt ffmpeg-transcode-ffc235e7-a070-4e74-965f-9e8f183059c8_1.txt hardware_detection-63715285219.txt
-
Hey, I'm fairly new to Emby and securing your sites through SSL certificates, but pretty experienced in port forwarding, dyndns, debian... Nevertheless I wanted to make my Emby portal open to the public, HTTPS only. I followed the steps of this guide (https://github.com/MediaBrowser/Wiki/wiki/Secure-Your-Server). I have a subdomain (example.spr.io) on freedns.afraid.org updated through DynDNS of my FritzBox router and running Emby on my Debian Homeserver utilizing Proxmox for the virtualization. I had Let's Encrypt already set up correctly and my certificates under /etc/letsencrypt/live/example.spr.io. Then I generated the value for the TXT record using
    certbot -d example.spr.io --manual --preferred-challenges dns certonly
During the generation, I was asked to add the TXT record as _acme-challenge.example.spr.io to my freedns account and successfully did so: Afterwards I used the command
    openssl pkcs12 -export -out examplesprio.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
to generate the .pfx file, moved it to /opt/emby-server/etc/ssl/examplesprio.pfx and applied the new settings: Issue: In theory everything should be fine and running, but it's not. Directly getting ERR_CONNECTION_RESET on requesting the site.
-
Hi guys, big thanks to all who have posted walkthroughs for setting up domains, DDNS, SSLs, etc. So far I have the domain name and DDNS working for HTTP traffic. But for whatever reason HTTPS traffic just times out every time. I am relying on the UPnP protocol on my router instead of port forwarding and the bindings are correct. 443 is going to 8920, 80 goes to 8096. But I cannot connect via https:// or :443 ever. Even setting up manual port forwarding does not work. So I cannot tell if my certificate is even working, but I shouldn't need the certificate to even connect via HTTPS, right? If the port binding is there I should be able to connect. I am using Certify the Web for the SSL and it has been correctly set up with my domain but I can't tell if Emby is really using it. Any help would be appreciated.
-
Greetings, I have run into what seems a very odd issue. Up to 2 days ago I had been connecting into my QNAP TVS-862 4.4.1 / EMBY Version 4.1.1.0 via HTTPS without any issue. However, suddenly that all changed two days ago and I am now getting a HTTPS: unexpectedly closed the connection on both Chrome and Firefox. Emby connects fine via HTTP to the same port and is running as expected and has been set to manage secure remote connections as preferred but not required. EMBY is reachable via a secure routable subdomain secured with a WILDCARD Let's Encrypt certificate. I use the same certificate on a number of different apps including my web server so it is unlikely the certificate is at fault. (The certificate was renewed several weeks ago and is valid) but I have regenerated the PCK file using the same script I have been using for over a year, just in case, without success and of course stopped and restarted the server. I can see internal traffic coming in via HTTPS but it seems Emby rejects the traffic:

    17:42:00.234526 IP xx.x.x.xx.xxx.55151 > xx.x.x.xx.xxx: Flags [S], seq 788513049, win 65535, options [mss 1400,sackOK,TS val 16018303 ecr 0,nop,wscale 8], length 0
    17:42:00.234689 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.55151: Flags [S.], seq 554121205, ack 788513050, win 28960, options [mss 1460,sackOK,TS val 1609257401 ecr 16018303,nop,wscale 5], length 0
    17:42:00.363132 IP xx.x.x.xx.xxx.55151 > xx.x.x.xx.xxx: Flags [.], ack 1, win 333, options [nop,nop,TS val 16018385 ecr 1609257401], length 0
    17:42:00.363464 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.55151: Flags [F.], seq 1, ack 1, win 905, options [nop,nop,TS val 1609257529 ecr 16018385], length 0
    17:42:00.363876 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.55151: Flags [R], seq 554121206, win 0, length 0
    17:42:00.394241 IP xx.x.x.xx.xxx.55151 > xx.x.x.xx.xxx: Flags [F.], seq 317, ack 2, win 333, options [nop,nop,TS val 16018400 ecr 1609257529], length 0
    17:42:00.394319 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.55151: Flags [R], seq 554121207, win 0, length 0
    17:42:00.394546 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.55151: Flags [R], seq 554121207, win 0, length 0
    17:42:00.415004 IP xx.x.x.xx.xxx.15355 > xx.x.x.xx.xxx: Flags [S], seq 1762434976, win 65535, options [mss 1400,sackOK,TS val 16018404 ecr 0,nop,wscale 8], length 0
    17:42:00.415183 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.15355: Flags [S.], seq 589246179, ack 1762434977, win 28960, options [mss 1460,sackOK,TS val 1609257581 ecr 16018404,nop,wscale 5], length 0
    17:42:00.454062 IP xx.x.x.xx.xxx.15355 > xx.x.x.xx.xxx: Flags [.], ack 1, win 333, options [nop,nop,TS val 16018415 ecr 1609257581], length 0
    17:42:00.454403 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.15355: Flags [F.], seq 1, ack 1, win 905, options [nop,nop,TS val 1609257620 ecr 16018415], length 0
    17:42:00.463142 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.15355: Flags [R], seq 589246180, win 0, length 0
    17:42:00.494200 IP xx.x.x.xx.xxx.15355 > xx.x.x.xx.xxx: Flags [F.], seq 218, ack 2, win 333, options [nop,nop,TS val 16018428 ecr 1609257620], length 0
    17:42:00.494593 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.15355: Flags [R], seq 589246181, win 0, length 0
    17:42:00.494747 IP xx.x.x.xx.xxx > xx.x.x.xx.xxx.15355: Flags [R], seq 589246181, win 0, length 0

I cannot see any errors in the server log, which is not ideal. A search of the logs from 2 days ago shows connects via HTTPS working fine:

    2019-07-07 10:31:34.861 Info HttpServer: HTTP GET https://xxx.xxx.xxx:xxxx/emby/system/info/public. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

I have reached about as far as I can diagnose. Hoping for some clever suggestions on what to do next. Thanks and HELP!!
-
https://letsencrypt.org/ the free certificate authority is in public beta now and allows everybody to get valid free SSL certificates. It would be nice to have support for getting SSL certificates via their ACME protocol directly from Emby. This would make it really easy for people to set up secure access to the server from the internet.
- 106 replies
-
- 10
-
Set up Secure Connection w/Domain Name--Login Screen Loads SLOWLY
Rohanaj posted a topic in General/Windows
I finally decided it was time to look into getting a secure connection with SSL certificate set up on my server, so I went through the steps of grabbing a domain name and a SSL certificate. The name was easy and the certificate was alright, just a little slower to get because of my own stupidity. After various attempts doing incorrect things between Emby settings and port forwarding, I got the .pfx file linked in Emby, the domain name listed, and all the ports set up correctly. I went to test it by doing a complete new install of the Emby app on my android phone - entered my new HTTPS address in the path and 443 in the android port box, and it took me to the server's login page almost instantly, so I was super happy about that. I then set up an Apple TV box on an external network to try that, and again it loaded up the login screen right away after putting the address in. The oddity that I'm running into now is that I've also tested it in four different web browsers, both from two computers and an iPad on my local network as well as from two different computers off the network just to make sure, and came up with the following results in terms of how quickly the browsers would actually pull up the login page after entering the address in the browser bar:
- Safari = almost instantly, 1-2 seconds
- Chrome = 17-22 seconds
- Firefox = 20-23 seconds
- Internet Explorer = 22-26 seconds
If I use my straight IP address to get to my server from any of those computers, it's a 1-2 second load time no matter what browser I use. I haven't had time to stream anything for a significant amount of time through the secure connection, so I don't know if streaming is affected or not yet - after a quick forum search, I did see a thread about reverse proxy potentially causing streaming issues, but I'm not running a reverse proxy at all. Has anyone noticed problems with streaming when going through a domain name with SSL?
Anyway, after all that explanation, my real question about the login screen is whether others have seen it as a common thing for the login page to be pulled up so slowly when using a domain and SSL certificate to get to the server, especially with the major non-Apple browsers? Thanks for any feedback.
- 3 replies
-
- web browsers
- SSL
-
Hello, I used Swynol's guide on setting up a reverse proxy in attempt to set up my own (Reference Post #5 - https://emby.media/community/index.php?/topic/47508-how-to-nginx-reverse-proxy/). In terms of NGINX config set up, I essentially copy and pasted his last post replacing his domains and sub-domains with my own. For the Emby server set up I have the public https port to 443, the external domain set, and the secure connection mode set to "Reverse Proxy". I have manually checked the server config xml and verified that "requirehttps" is false. I also have my 80 and 443 ports forwarded to the NGINX server on my router. The issue I'm getting is that when I try to access my server I get a "ERR_TOO_MANY_REDIRECTS" in chrome. I've exhausted my google-fu techniques and come to seek knowledge from others who may be more savvy with NGINX and reverse proxies.
- 17 replies
-
- reverse proxy
- NGINX
-
I'm trying to connect to the hosted web app through HTTPS, because Chromecast now needs it to work properly. I'm told to select my server, and it won't connect to it. I can connect to it just fine on HTTP. So, does anyone know what's wrong and how I fix it?
- 2 replies
-
- chromecast
- https
-
Hi All, still working things out coming from Plex. First thing I wanted was a secure https certificate, so I set up a Let's Encrypt and an internal reverse proxy pointing to the new server. But! Emby keeps adding the port to my domain, which is included in the domain, https://domain.com:8920 Any way to tell Emby to not use the port number in the link? (Writing nothing in the external port is a no go)
-
Hi, In Settings there is a section named "Advanced" or "Hosting". This is mine: And this is a section of my Dashboard: The server is running on local http port (8096), there is no option to enable https locally. Nor, in my opinion, does it make sense to activate https on local connections. My question is: does the "Local https port number" option make any sense?
-----------------------------------------------------------------------------------------------------
And another question is about remote access. I have disabled this option, why does the Dashboard show "Remote (WAN) access" if it's inactive? This leads to confusion when remote access is not activated.
-
Hi everyone, I have used Emby for 5 months now and I love this software. I have recently noticed that the web apps app.emby.media and tv.emby.media have https configured, but also have http that does not redirect to https. Is there a plan to do a redirection from http to https?
-
Hello, I started using Emby on a Synology NAS this week and everything was working fine. This morning I wanted to set up the https connection with Emby so I have set up an SSL certificate and used the settings: "Secure connection mode" to "Preferred but not required". Then the Emby server restarted, but now I can't start the Emby package. Every time I start the package from the Synology's package manager, Emby stops without even being able to access the website. Thanks.
-
Hi, I've been having issues since upgrading (fresh install and restore using backup plugin) to 3.4.1.0. Basically what happens is emby-server will be running for hours without issue (sometimes only minutes), and then it just stops. Usually while in the middle of playback. The service doesn't stop, it just stops responding to https or http requests. I've verified this by running a curl command to look at the headers returned when this is happening.

    curl --silent --insecure --connect-timeout 5 --max-time 8 --head http://emby.local:8096 | grep "HTTP/1.[01] 302 Found"
    curl --silent --insecure --connect-timeout 5 --max-time 8 --head https://emby.local:8920 | grep "HTTP/1.[01] 302 Found"

My setup is the following:
Hypervisor: ESXi 6.5.0 Update 1 (Build 7967591)
CPU: AMD Ryzen 7 1700
OS: Ubuntu 18.04 LTS
vCPUs: 8
RAM: 2GB

What I've done to combat this is I've created a cron script that runs every minute to check on the status of emby's http/https responses and restart the service accordingly:

    #!/bin/bash
    # [[ ... ]] is a bash construct, so the script must run under bash.
    sleep 10s
    date=`date '+%F %H:%M:%S'`
    # Is EmbyServer listening on the HTTP port?
    if [[ $(netstat -ntlp | grep LISTEN | grep EmbyServer | grep 8096) ]]; then
        # Does it answer HTTP with the expected 302?
        if [[ $(curl --silent --insecure --connect-timeout 5 --max-time 8 --head http://emby.local:8096 | grep "HTTP/1.[01] 302 Found") ]]; then
            # Same two checks for the HTTPS port.
            if [[ $(netstat -ntlp | grep LISTEN | grep EmbyServer | grep 8920) ]]; then
                sleep 1s
                if [[ $(curl --silent --insecure --connect-timeout 5 --max-time 8 --head https://emby.local:8920 | grep "HTTP/1.[01] 302 Found") ]]; then
                    sleep 1s
                else
                    echo "$date : emby-server is not responding to https requests... restarting service"
                    /usr/sbin/service emby-server restart
                fi
            else
                echo "$date : emby-server is not listening https requests... restarting service"
                /usr/sbin/service emby-server restart
            fi
        else
            echo "$date : emby-server is not responding to http requests... restarting service"
            /usr/sbin/service emby-server restart
        fi
    else
        echo "$date : emby-server is not listening http requests... restarting service"
        /usr/sbin/service emby-server restart
    fi

I set this script up yesterday and I've already had a few occurrences:

    2018-05-16 21:57:11 : emby-server is not responding to http requests... restarting service
    2018-05-16 21:59:11 : emby-server is not responding to http requests... restarting service
    2018-05-17 09:52:11 : emby-server is not responding to https requests... restarting service

I've attached my server logs, but I really don't see what the issue is. I will note that *sometimes* when https doesn't work, http will continue to work. And when you log in to the admin console, it shows remote connections as http instead of https. This is making me feel like this is a config issue. Suggestions? Thanks! emby-server_logs.7z
-
Hello all, A friend of mine reached out to me the other day to let me know that they could no longer connect to my emby server. It had been running fine, so I was puzzled. When I went and looked at the settings, it turns out that the server no longer appears to be running over HTTPS, only on HTTP. I don't even see any option for HTTPS other than under Expert->Advanced where I can set the external HTTPS port. I am currently on the 3.5 beta. Everything works fine right now on HTTP, but I would much prefer to be running over HTTPS again. Anyone have any thought or suggestions? Thanks! N
-
Hi, I'm unable to connect to my Emby server from my LG smart TV (webos 4.70.85) over https. Certificate is properly configured and signed (Let's Encrypt Authority X3). I have no issues with connecting using Emby app on Android, iOS and even casting to Chromecast (and I always connect over https). Do you have any idea how can I address this issue?
- 1 reply
-
- https
- certificate
-
I have recently bought a certificate and wish to enable HTTPS. However, I seem to be unable to enable it correctly; no matter what, my HTTP works, but I cannot get https to work correctly at all. My settings are here below, followed by the error I get. Any suggestions?
-
Hey, I have read most of the posts on the forum and I am still really struggling with setting up external connection and SSL. Now I have bought a domain through namecheap.com and have been following the guide Setting up SSL for Emby (WIP) by Swynol. Now I have followed every step but I can't seem to get it to work. Now I am not that technically gifted but know my way around a computer. Please could someone help even further or dumb the process down a bit, even though it's dumbed down already. I struggle with ssl free as it never finds my txt line to verify my domain. So any help would be gratefully appreciated. Setting up SSL for Emby (WIP)
-
After using Emby for a while I'm so happy with it that I decided to publish it to the Internet so I can listen to my music when I'm away, without needing to VPN home. I'm publishing Emby behind a Squid reverse proxy, using SSL termination. Meaning:

    Internet Client -----HTTPS SSL connection-----> | Squid reverse-proxy -----PLAIN HTTP-----> Emby
                                                    |
                                           INTERNET | LAN

Now I have a couple of questions/feature requests regarding publishing Emby to the "evil" Internet:
- Is there any known issue/concern that I should be aware of that is not too relevant while Emby is only visible in the LAN but that can be dangerous if Emby is visible from the Internet?
- I'm worried about brute force attacks. Is it possible to enable a captcha on the login screen so for example after 3 failed logins the user will need to validate the captcha to try to login again?
- About the login screen: would it be possible to have a configuration parameter in Emby to "harden" the login form, like for example disabling autocomplete on the username field?
- Is it possible to enable a configuration parameter to hide all users from the login screen, server wide, instead of doing it on a per-user basis only?
- How does the "in-network sign-in" with the easy pin code work? How does Emby know that the user is logging in from the LAN or from the Internet? What happens if the user is on the Internet but Emby is behind a reverse-proxy in the LAN (all requests come from the LAN IP of the proxy)? Would Emby check the X-Forwarded-For HTTP header if the reverse-proxy provides it?
I know these are a lot of questions and some things may not be even implemented right now, but if they are not, maybe they can be a good idea to implement in the near future since they can help us to protect our server from the "evil" Internet. Cheers
-
Hello Guys,
facts:
- installed emby on a debian vps.
- allowed 8096 and 8920 in ufw
- bought a Domain at namecheap.
- created an A Record for the VPS IP.
- created a letsencrypt cert (https://emby.media/community/index.php?/topic/42315-creating-a-letsencrypt-ssl-certificate-for-emby/)
- Emby config: add certfolder to /opt/emby-server/ssl/ssl.pfx
- Emby config: add external Domain "https://xxx.xxx"
Problem: I got emby over "http://xxx.xxx:8096" but on "https://xxx.xxx:8920" I got "ERR_TUNNEL_CONNECTION_FAILED". Can you help me with this issue? Thanks
-
I migrated my Emby server from a Windows based to a CentOS based one, and before the migration, my Emby server would say on the dashboard, "Running on HTTP Port# and HTTPS Port#", now it only says "Running on HTTP Port#". I have added both ports used for HTTP and HTTPS to the /etc/firewalld/services/embyserver.xml, and I know the firewall settings have not changed. I have confirmed it's not a port issue since I switched the used ports in Emby for http and https and both ports are able to get out. At this point I'm not really sure what the problem is. Thanks in advance
-
Orsay Samsung Smart TV, Third Party App and the new HTTPS redirect.
Blob posted a topic in Samsung Smart TV
Hi, Some time ago I read that the ORSAY third party app devs did not see a problem in not developing HTTPS support. My Samsung is run remotely through the Internet, and I would really like that developers think of security. Anyway... How would the Third Party App behave if I enable the new setting on the server to redirect to HTTPS? Will the App ignore this and still use HTTP because it does not support HTTPS? Thanks /Blob
-
There have been a few posts around the Forum recently regarding SSL, HTTPS and Security. I'm by no means an expert on reverse proxies but have had a lot of dealings with them over the past few months and with the help of @pir8radio and @shorty1483 have a fairly well setup and secure system to access my services from outside of my LAN. This guide is to help people access their Emby Server and any other services behind a reverse proxy. This is based on NGINX but it also works for Apache and IIS.

So firstly, what is and why do I need a reverse proxy?

If you're like me and have many services running on servers or PCs in your home, i.e. Emby, Plex, Sonarr, Radarr, Ombi, Organizer, CP, home automation, CCTV and anything else, then you have to open multiple ports on your router to direct traffic to where it needs to go. With a Reverse Proxy you only have to open 1 or 2 ports. Normally all HTTP traffic is sent over port 80 and HTTPS traffic over port 443. In my case I want all traffic served over HTTPS and port 443 so I close all ports bar 443. Another reason to use a reverse proxy is that you can use your own domain certs easily and fine tune your security settings. If you want to test your Domain security go here - https://securityheaders.io/ Chances are your rating will be an F. With a reverse proxy you can easily attain a B+/A Grade. You can also set up a web-facing server running NGINX and then have additional servers behind that hidden on your LAN; however, if you're like me, I have NGINX running on the same machine as Emby.

I only access Emby remotely, do I still need a reverse proxy?

Difficult to answer. No, you don't need a reverse proxy to access Emby, but if you do then you can fine tune the security. This guide assumes you have a Domain name, your own Certs to go with your domain name and either have your domain name pointed to a static PC (your home WAN IP) or have Dynamic DNS setup. Have I convinced you yet?
I run Windows OS at home so this guide follows a Windows setup but the config will be the same across all OS.

1. Download the latest version of NGINX from here - http://nginx-win.ecsds.eu/ as of writing this guide it's version 1.13.0.1 Violet.
2. Extract the ZIP file somewhere easy to find. C:\NGINX.
   a. To make future updating easier when you extract the ZIP the file is called nginx 1.13.0.1 Violet. Rename it to just NGINX.
3. Before we get started on the config of NGINX let's install it as a service.
   a. Download NSSM
   b. Extract the ZIP
   c. Copy correct x86 or x64 nssm.exe to C:\Windows\System32
   d. Open a CMD, type 'nssm install nginx'
   e. Fill in the Application Path – C:\NGINX\nginx.exe Startup directory – C:\NGINX Service name – NGINX. Install Service

Don't start the service yet, we need to configure NGINX. To create a config I use notepad++. I will go through each setting first before supplying a copy of my current config. This is how the config starts.

    worker_processes 2;

    events {
        worker_connections 8192;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile off;
        gzip on;
        gzip_disable "msie6";
        gzip_comp_level 6;
        gzip_min_length 1100;
        gzip_buffers 16 8k;
        gzip_proxied any;
        gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
        tcp_nodelay on;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 30;
        send_timeout 10;
        keepalive_requests 10;
        ## End: Timeouts ##
    }

This part is fairly standard. Anything starting with # is disabled or just a comment. The config is broken down into blocks. The first block here is the HTTP block.
The HTTP block contains all the headers required to do the work of the reverse proxy, for example when someone browses to emby.mydomain.com it matches a header in NGINX and it knows where to forward the data. The only change in the section above over a default config is the addition of server_tokens off; this is the first of our security tweaks. This removes the version of NGINX from being visible outside your network, giving attackers fewer chances of being able to exploit version weaknesses.

    ## Default Listening ##
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

This next block is called a server block and it is nested inside the HTTP block. This block is optional, it is only used to redirect any users from HTTP to HTTPS if you want to force users on HTTPS only. listen 80 and listen [::]:80 are default ports for HTTP traffic for IPv4 and IPv6. return 301 https://$host$request_uri; is what rewrites the request from HTTP to HTTPS. Again only needed if you are forcing everyone to use HTTPS only.
    ##EMBY Server##
    server {
        listen 80;
        listen [::]:80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        #add_header Public-Key-Pins '
        #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNaUFEwyUE=";
        #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
        #pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=";
        #max-age=86400; includeSubDomains';

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

        location / {
            proxy_pass http://192.168.10.10:8096;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

The next server block is where the magic happens. First, the listen 80; and listen [::]:80; are only needed if you want to allow users to access your Emby server on port 80. Otherwise delete these 2 lines to force all users to HTTPS access. listen 443 ssl; and listen [::]:443 ssl; are the default HTTPS ports, again for IPv4 and IPv6. server_name emby.mydomain.com will be your subdomain and how you access Emby from outside your network.

Now let's look at the SSL certificates. For my setup I created a .pem file. This file contains both my cert, intermediate and CA root cert in one file.
This link gives you an idea how to do it - https://www.digicert.com/ssl-support/pem-ssl-creation.htm You should now have your cert.pem and a private.key file. For simplicity copy these files to C:\NGINX\conf\SSL (you have to create the SSL folder). This tells NGINX where to find the certs.

    ssl_certificate SSL/cert.pem;
    ssl_certificate_key SSL/private.key;

For now I am going to skip over the #add_header Public-Key-Pins - as you can see I have it disabled by using # in front of it. I will explain why later on.

The next section adds further security tweaks. You will need to change the content-security-policy domain names to your own. You need to list all your subdomains, i.e. sonarr.mydomain.com radarr.mydomain.com emby.my....... you get the idea.

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';
    add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

The next part is called the location block. This is what tells your domain name emby.mydomain.com where the data should go. In this case it forwards everything to proxy_pass http://192.168.10.10:8096; you can also forward to proxy_pass http://127.0.0.1:8096 if it runs on the same box as NGINX. The rest of the location block is default stuff to help the data get to where it is needed.

Your config should now look like the one below.
We need to save it to C:\NGINX\conf and name it nginx.conf

    worker_processes 2;

    events {
        worker_connections 8192;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile off;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 30;
        send_timeout 10;
        keepalive_requests 10;
        ## End: Timeouts ##

        ## Default Listening ##
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
        }

        ##EMBY Server##
        server {
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name emby.mydomain.com;

            ssl_session_timeout 30m;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_cache shared:SSL:10m;

            #add_header Public-Key-Pins '
            #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
            #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
            #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
            #max-age=86400; includeSubDomains';

            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            proxy_hide_header X-Powered-By;
            add_header 'Referrer-Policy' 'no-referrer';
            add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

            location / {
                proxy_pass http://192.168.10.10:8096;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }
    }

And that's it, you can now start your NGINX service by running services.msc and starting NGINX.
- 4 replies
-
- 10
-
- NGINX
- reverse proxy
-
XBOX ONE will not connect to Emby server via https using port 8920. I can connect with Chrome on https to the server with no issues and I was connected to it via https before but I deleted the server from my XBOX because I wanted to re-add it by DNS name instead of IP like it was. After doing that I can only connect via port 8096 and that works with either DNS or IP. Below is the part of the logs on my last failed connection attempt, is there something I need to change on the server? Thanks GaminKake
2017-09-19 18:04:30.745 Error HttpServer: Error in ProcessAccept
*** Error Report ***
Version: 3.2.30.0
Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
Operating system: Unix 4.4.0.93
64-Bit OS: True
64-Bit Process: True
Mono: 5.2.0.215 (tarball Mon Aug 14 15:46:12 UTC 2017)
Processor count: 2
Program data path: /var/lib/emby-server
Application directory: /usr/lib/emby-server/bin
Mono.Btls.MonoBtlsException: Ssl error:1000009c:SSL routines:OPENSSL_internal:HTTP_REQUEST
  at /build/mono-5.2.0.215/external/boringssl/ssl/handshake_server.c:581
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <d2c057d9d34d4e029e580897bd60340c>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncProtocolRequest asyncRequest, Mono.Net.Security.AsyncOperationStatus status) [0x0002a] in <d2c057d9d34d4e029e580897bd60340c>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (Mono.Net.Security.AsyncOperationStatus status) [0x0006b] in <d2c057d9d34d4e029e580897bd60340c>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation () [0x0000d] in <d2c057d9d34d4e029e580897bd60340c>:0
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation () [0x00000] in <d2c057d9d34d4e029e580897bd60340c>:0
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <204f770036d441bb8dfd3daba3550e83>:0
  at Mono.Net.Security.MobileAuthenticatedStream.EndProcessAuthentication (System.IAsyncResult result) [0x00064] in <d2c057d9d34d4e029e580897bd60340c>:0
  at Mono.Net.Security.MobileAuthenticatedStream.EndAuthenticateAsServer (System.IAsyncResult asyncResult) [0x00000] in <d2c057d9d34d4e029e580897bd60340c>:0
  at System.Threading.Tasks.TaskFactory`1[TResult].FromAsyncCoreLogic (System.IAsyncResult iar, System.Func`2[T,TResult] endFunction, System.Action`1[T] endAction, System.Threading.Tasks.Task`1[TResult] promise, System.Boolean requiresSynchronization) [0x00019] in <204f770036d441bb8dfd3daba3550e83>:0
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <204f770036d441bb8dfd3daba3550e83>:0
  at SocketHttpListener.Net.HttpConnection+<InitStream>c__async0.MoveNext () [0x000fd] in <551a698639e347b7b41ff2457f619ff3>:0
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <204f770036d441bb8dfd3daba3550e83>:0
  at SocketHttpListener.Net.HttpConnection+<Create>c__async1.MoveNext () [0x000bb] in <551a698639e347b7b41ff2457f619ff3>:0
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <204f770036d441bb8dfd3daba3550e83>:0
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <204f770036d441bb8dfd3daba3550e83>:0
  at SocketHttpListener.Net.EndPointListener+<ProcessAccept>c__async0.MoveNext () [0x00126] in <551a698639e347b7b41ff2457f619ff3>:0
-
Hello, I know the technical reasons for the following issues have already been discussed but I was wondering when will they be fixed? Emby on my Android phone running Marshmallow is pretty much useless at this point; I might as well uninstall it. I definitely would not have bought the premier version if I were looking at it today. The big issues I see are:
1) Lack of External SD Card support. Mega Huge, Monstrous even, in my book. I can't even use the old workaround of syncing to the external card and then using a 3rd party player anymore.
2) HTTPS doesn't work over wlan - meh no biggie except -
3) No offline playback support
I'd rather not have to move to Plex (assuming they can do it) as I've already paid for Emby but I do want to use the nice 128GB SD card in my phone. Any timeline at all? Are we talking days, weeks, months, years???? Please? Thanks
-
Hello guys! I'm new to Emby but I like the program very much! I have one little problem, can't get the HTTPS function to work: the server doesn't generate an SSL certificate. But that is not my question today. Because my HTTPS is not working, I now stream via HTTP to locations outside my home network. Normally I don't stream a lot, but now, because of the holidays, I do stream a lot. My question: is it safe to stream over HTTP? Because everyone can watch what I'm streaming, would I not be marked for piracy or something? Because I'm up-and-downloading files that are protected by copyright. Thanks in advance, kind regards, Ronnie van der Woude